Hello all,
Cassandra has changed and now has a default authentication and
authorization mechanism.
The classes org.apache.cassandra.auth.PasswordAuthenticator (authenticator)
and org.apache.cassandra.auth.CassandraAuthorizer (authorization) provide that.
They both write to a keyspace called system_auth and there are 2 column
families that are used for it, namely credentials and permissions.
The permissions table is defined in CassandraAuthorizer as follows:

    "CREATE TABLE system_auth.permissions (
         username text,
         resource text,
         permissions set<text>,
         PRIMARY KEY(username, resource)
     ) WITH gc_grace_seconds=(90 * 24 * 60 * 60)" // 3 months

The credentials table is created in PasswordAuthenticator as follows:

    "CREATE TABLE system_auth.credentials (
         username text,
         salted_hash text,        // salt + hash + number of rounds
         options map<text,text>,  // for future extensions
         PRIMARY KEY(username)
     ) WITH gc_grace_seconds=(90 * 24 * 60 * 60)" // 3 months

The password is hashed as
BCrypt.hashpw(password, BCrypt.gensalt(GENSALT_LOG2_ROUNDS));
where GENSALT_LOG2_ROUNDS is set to 10.
Out of the box, the keyspace system_auth is there but the CFs are not
defined when one issues a describe system_auth inside the
cassandra-cli application.
The configuration file says:
PasswordAuthenticator relies on username/password pairs to authenticate
users. It keeps usernames and hashed passwords in system_auth.credentials
table.
Please increase system_auth keyspace replication factor if you use this
authenticator.
In the configuration file /etc/cassandra/cassandra.yaml I have set:

    authenticator: org.apache.cassandra.auth.PasswordAuthenticator
    authorizer: org.apache.cassandra.auth.CassandraAuthorizer

Therefore I have 3 questions.
1) How can I increase the replication factor if the keyspace system_auth is
already there? Can I do this?
Currently the replication factor is 1:

    [cassandra@system_auth] describe;
    Keyspace: system_auth:
    Replication Strategy: org.apache.cassandra.locator.SimpleStrategy
    Durable Writes: true
    Options: [replication_factor:1]
    Column Families:

2) Shall I create the CFs credentials and permissions via cassandra-cli as
well?
If I issue a select command from cqlsh I can see:

    cqlsh:system_auth> SELECT * FROM credentials;
     username  | options | salted_hash
    -----------+---------+--------------------------------------------------------------
     cassandra |    null |

Even though there is no credentials CF defined on the schema yet.
3) What is the process of adding more users? Shall I do it via cassandra-cli
and/or cqlsh? How shall I specify the read and write privileges as well
as the keyspaces for which it has writes?
Something like this:
OpsCenter.<rw>=carlos
system.<rw>=carlos
system_traces.<rw>=carlos
nando.<rw>=carlos
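
Added example, not part of the original message or of Cassandra's own code: a small audit of salted_hash values as they would be exported from system_auth.credentials, splitting each bcrypt string into the "salt + hash + number of rounds" that the column comment describes and flagging rows that are empty, malformed or below the quoted GENSALT_LOG2_ROUNDS of 10. The function names and the sample rows are assumptions constructed for illustration.

```python
import re

# bcrypt strings use the modular crypt layout:
#   $<version>$<log2 rounds>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
EXPECTED_LOG2_ROUNDS = 10  # GENSALT_LOG2_ROUNDS as quoted in the message

# Constructed placeholder salt and hash (correct length and alphabet only;
# not the bcrypt output of any real password).
SALT = "CONSTRUCTEDsaltVALUE01"
HASH = "CONSTRUCTEDhashVALUEnotREAL0001"
SAMPLE_ROWS = [  # constructed (username, salted_hash) pairs
    ("alice", "$2a$10$" + SALT + HASH),
    ("bob", "$2a$04$" + SALT + HASH),
    ("cassandra", ""),
    ("dave", "not-a-bcrypt-value"),
]


def parse_salted_hash(value):
    """Split a bcrypt string into version, rounds, salt and hash, or None."""
    m = BCRYPT_RE.match(value or "")
    if m is None:
        return None
    version, cost, salt, digest = m.groups()
    return {"version": version, "log2_rounds": int(cost),
            "iterations": 2 ** int(cost), "salt": salt, "hash": digest}


def audit_credentials(rows, min_log2_rounds=EXPECTED_LOG2_ROUNDS):
    """Return (username, problem) for empty, malformed or low-cost rows."""
    findings = []
    for username, salted_hash in rows:
        parsed = parse_salted_hash(salted_hash)
        if not salted_hash:
            findings.append((username, "empty salted_hash"))
        elif parsed is None:
            findings.append((username, "not a bcrypt string"))
        elif parsed["log2_rounds"] < min_log2_rounds:
            findings.append((username, "log2 rounds %d < %d"
                             % (parsed["log2_rounds"], min_log2_rounds)))
    return findings


if __name__ == "__main__":
    for user, problem in audit_credentials(SAMPLE_ROWS):
        print(user, "->", problem)
```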